Thunderbird 38.5.0 is now available / special notice

R Kent James kent at
Tue Dec 29 18:46:55 UTC 2015

My understanding is that later Microsoft OSes will accept installs of 
apps signed with SHA-1 certificates for a limited amount of time, but 
only if they were signed prior to 2016-01-01. So what you describe 
applies to later Microsoft OSes, not XP SP2. That OS knows nothing of 
any of this, and has no support or SHA-2 certificates (hence will fail 
with our latest apps that are signed using SHA-2). Per Microsoft 

"I am still targeting software for distribution to Windows XP SP1, SP2 
and Windows Server 2003. How might I be affected by these requirements?

The deprecation policies will not be targeted at those systems. Those 
systems however do not have SHA-2 support and no patch is available to 
add that support either. Developers can use SHA-1 code signing 
certificates and SHA-1 file hashes to sign their code. SHA-1 timestamps 
should be used as well."


"Windows trusts SHA1 (if timestamped prior to 1/1/2016) and SHA-2 (any 
timestamp)" for Code Signing certificates.

Nevertheless, there seems to be a lot of confusion about what all of 
this really means.

On 12/29/2015 3:53 AM, Gervase Markham wrote:
> On 23/12/15 21:01, R Kent James wrote:
>> One possibility is to drop support completely for XP SP2 or earlier. The
>> other option is to have additional builds, signed with older
>> certificates, that will install on XP SP2 or earlier. That solution
>> might only be valid for another year or so, however.
> If you are going to make such builds, they need to exist before midnight
> on December 31st :-) You may be able to use existing builds, of course.
> Gerv
> _______________________________________________
> tb-planning mailing list
> tb-planning at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the tb-planning mailing list